Bug 1085977
| Summary: | Require openscap dict and oval support for CentOS | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dave Sullivan <dsulliva> |
| Component: | openscap | Assignee: | Šimon Lukašík <slukasik> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | dkopecek, dsulliva, jonte.regnell, openscap-maint, plautrba, pvrabec, slukasik, theinric |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openscap-1.1.0-1.fc20 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-09-22 14:37:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Thanks for the report! However, it is not clear to me what exactly is requested. Am I right supposing that OpenSCAP internal CPE dict is requested to include CentOS CPE strings? Like: cpe:/o:centos:centos:6 cpe:/o:centos:centos:5 cpe:/o:centos:centos:4 ? openscap.git e09f29496081a0525cda0b18299bccb9803baf76 Simon, yes to Comment #1, looks like we are in post now so all is good. Thx...Dave Btw, I think we needed something similar for Oracle I can't remember if I created a BZ for that, but I'll check on it soon. Well, this is actually already released in Fedoras. Thanks for report. |
Description of problem: Currently investigating using preupgrade-assistant to perform premigrate ssessment Version-Release number of selected component (if applicable): [root@preup_centos_test preupgrade-assistant]# rpm -qa | grep openscap openscap-0.9.12-1.el6.x86_64 [root@preup_centos_test preupgrade-assistant]# cat /etc/centos-release CentOS release 6.5 (Final) How reproducible: Noticed that our openscap files didn't include references to centos. [root@preup_centos_test CENTOS6_6]# ls /usr/share/openscap/cpe/* /usr/share/openscap/cpe/my-detailed-oval-results /usr/share/openscap/cpe/openscap-cpe-dict.xml /usr/share/openscap/cpe/openscap-cpe-oval.xml /usr/share/openscap/cpe/README tried some hacks to get things to work, not fully understanding openscap cpe dict/oval phracek pointed me to #openscap and slukasik helped me understand how to hack around centos openscap support If we do a walk through <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.rhel:tst:6" version="1" check="at least one" comment="redhat-release is version 6" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"> <object object_ref="oval:org.open-scap.cpe.redhat-release:obj:3"/> <state state_ref="oval:org.open-scap.cpe.rhel:ste:6"/> </rpminfo_test> [root@preup_centos_test ~]# cat /usr/share/preupgrade/CENTOS6_6/all-xccdf.xml | grep platform <ns0:platform idref="cpe:/o:redhat:enterprise_linux:6" /> [root@preup_centos_test ~]# grep -A 10 "enterprise_linux\:6" /usr/share/openscap/cpe/openscap-cpe-dict.xml <cpe-item name="cpe:/o:redhat:enterprise_linux:6"> <title xml:lang="en-us">Red Hat Enterprise Linux 6</title> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.rhel:def:6</check> </cpe-item> [root@preup_centos_test ~]# grep -A 10 "enterprise_linux\:6" /usr/share/openscap/cpe/openscap-cpe-oval.xml <reference ref_id="cpe:/o:redhat:enterprise_linux:6" source="CPE"/> <description>The operating system installed on the system is Red Hat Enterprise Linux 6</description> </metadata> <criteria> <criterion comment="Installed operating system is part of the unix family" test_ref="oval:org.open-scap.cpe.rhel:tst:1"/> <criterion comment="Red Hat Enterprise Linux 6 is installed" test_ref="oval:org.open-scap.cpe.rhel:tst:6"/> </criteria> </definition> Now we need to go look at oval:org.open-scap.cpe.rhel:tst:6 [root@preup_centos_test ~]# grep -A 10 "rhel\:tst\:6" /usr/share/openscap/cpe/openscap-cpe-oval.xml points to <state state_ref="oval:org.open-scap.cpe.rhel:ste:6"/> [root@preup_centos_test ~]# grep -A 10 "rhel\:ste\:6" /usr/share/openscap/cpe/openscap-cpe-oval.xml we changed this to <rpminfo_state id="oval:org.open-scap.cpe.rhel:ste:6" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"> <name operation="pattern match">^centos-release</name> <version operation="pattern match">6</version> </rpminfo_state> as it was originally <rpminfo_state id="oval:org.open-scap.cpe.rhel:ste:6" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"> <name operation="pattern match">^redhat-release</name> <version operation="pattern match">^6[^\d]</version> <version operation="pattern match">6</version> </rpminfo_state> Once that was done, test showed as instead of not applicable to not checked. oscap xccdf eval --results xccd-results.xml /usr/share/preupgrade/CENTOS6_6/all-xccdf.xml Good note on things that can help doing eval on oval oscap oval eval --results my-detailed-oval-results openscap-cpe-oval.xml Now not checked meant there was an SCE issue, which installation of preupgrade covers So need to file fedora/RHEL bugs to get centos openscap dict/oval support. The abstract part of openscap can lead to confusion. This should help. http://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/linux-definitions-schema.html For the example able checking version we changed to the right package centos-release and then we corrected version to show 6 [root@preup_centos_test ~]# rpm -qa --queryformat "%{version}" centos-release 6 In short openscap dict/oval needs to support CentOS Additional info: